Option 2: Check NVE or NSE on systems running ONTAP 9.6 and later
Before shutting down the impaired controller, you need to verify whether the system has either NetApp Volume
Encryption (NVE) or NetApp Storage Encryption (NSE) enabled. If so, you need to verify the configuration.
1. Verify whether NVE is in use for any volumes in the cluster: volume show -is-encrypted true
If any volumes are listed in the output, NVE is configured and you need to verify the NVE configuration. If
no volumes are listed, check whether NSE is configured and in use.
2. Verify whether NSE is configured and in use: storage encryption disk show
◦ If the command output lists the drive details with Mode & Key ID information, NSE is configured and in use, and you need to verify the NSE configuration.
◦ If no disks are shown, NSE is not configured.
◦ If NVE and NSE are not configured, no drives are protected with NSE keys, and it’s safe to shut down the impaired controller.
Verify NVE configuration
1. Display the key IDs of the authentication keys that are stored on the key management servers: security key-manager key-query
After the ONTAP 9.6 release, you may have additional key manager types. The types are KMIP,
AKV, and GCP. The process for confirming these types is the same as confirming external or
onboard key manager types.
• If the Key Manager type displays external and the Restored column displays yes, it’s safe to shut down the impaired controller.
• If the Key Manager type displays onboard and the Restored column displays yes, you need to complete some additional steps.
• If the Key Manager type displays external and the Restored column displays anything other than yes, you need to complete some additional steps.
• If the Key Manager type displays onboard and the Restored column displays anything other than yes, you need to complete some additional steps.
1. If the Key Manager type displays onboard and the Restored column displays yes, manually back up the OKM information:
a. Go to advanced privilege mode and enter y when prompted to continue: set -priv advanced
b. Enter the command to display the key management information: security key-manager onboard show-backup
c. Copy the contents of the backup information to a separate file or your log file. You’ll need it in
disaster scenarios where you might need to manually recover OKM.
d. Return to admin mode: set -priv admin
e. Shut down the impaired controller.
2. If the Key Manager type displays external and the Restored column displays anything other than yes:
a. Restore the external key management authentication keys to all nodes in the cluster: security